I'm not sure based on what you say that it'd be invasive. Enabling different types of QOP seems to be relatively straightforward, unless I'm missing something here. Chris did a good job describing what needs to be done, and thus far I have the same understanding of the changes.
-Flavio

> On 09 Oct 2015, at 15:30, Ivan Kelly <[email protected]> wrote:
>
> IMO, adding QOP to 3.4 would be a fairly large and invasive change, which
> is something which shouldn't be done on the stable branch.
>
> -Ivan
>
> On Fri, Oct 9, 2015 at 4:02 PM Flavio Junqueira <[email protected]> wrote:
>
>> Not in the 3.4 branch, which is the latest stable branch at the moment.
>>
>> -Flavio
>>
>>> On 09 Oct 2015, at 15:00, Ivan Kelly <[email protected]> wrote:
>>>
>>> Is auth-int necessary if we have SSL on the client (as there is in trunk)?
>>> My understanding is that all comms would have to be wrapped by sasl if you
>>> have QOP enabled.
>>>
>>> -Ivan
>>>
>>> On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <[email protected]> wrote:
>>>
>>>> Hi Chris,
>>>>
>>>> Yeah, I was thinking along the same lines, so sounds like a plan. I know
>>>> Raul is going to hate me for this, but I'd really like to have this in
>>>> 3.4.7. It sounds like a simple enough change that we can have in shortly,
>>>> does it sound right?
>>>>
>>>> Please go ahead with the jira if you have time, and if you don't have time
>>>> to work on the patch, just assign it to me.
>>>>
>>>> -Flavio
>>>>
>>>>> On 08 Oct 2015, at 23:16, Chris Nauroth <[email protected]> wrote:
>>>>>
>>>>> Hi Flavio,
>>>>>
>>>>> It appears that the current code doesn't give us any way to control the
>>>>> QOP, so it must be always using the default QOP of "auth" (authentication
>>>>> only). This is because the calls to Sasl#createSaslClient and
>>>>> Sasl#createSaslServer pass a hard-coded null for the properties map.
>>>>>
>>>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L240
>>>>>
>>>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L288
>>>>>
>>>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L118
>>>>>
>>>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L144
>>>>>
>>>>> If we want to support setting QOP to "auth-int" (authentication +
>>>>> integrity/man-in-the-middle tampering protection) or "auth-conf"
>>>>> (authentication + integrity + confidentiality/encryption), then I think
>>>>> we'll need to make code changes to read a new QOP configuration property,
>>>>> put it into a Map using Sasl#QOP as the key, and then pass it along to the
>>>>> Sasl#createSaslClient and Sasl#createSaslServer calls.
>>>>>
>>>>> Is this what you need? If so, then I'd be happy to write up the proposal
>>>>> in a new JIRA. I didn't find any existing open JIRAs that look relevant.
>>>>>
>>>>> --Chris Nauroth
>>>>>
>>>>> On 10/8/15, 2:06 PM, "Flavio Junqueira" <[email protected]> wrote:
>>>>>
>>>>>> Has anyone tried to use the QOP (Quality of Protection) property for SASL
>>>>>> when running ZooKeeper?
>>>>>>
>>>>>> -Flavio
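The change discussed in this thread (read a QOP setting, put it in a Map under Sasl#QOP, pass the Map instead of null), sketched as an added example that is not ZooKeeper's code or a patch from the thread. The property name `example.sasl.qop`, the class name, and the user, password, protocol and host values are assumptions made up for the sketch; DIGEST-MD5 is used so that both ends run in one JVM.

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslQopDemo {
    // Hypothetical property name (an assumption; the thread does not name one).
    static final String QOP_PROPERTY = "example.sasl.qop";
    // Build the properties map that would replace the hard-coded null.
    static Map<String, String> saslProps(String qop) {
        for (String v : qop.split(","))  // Sasl.QOP takes an ordered, comma-separated list
            if (!Arrays.asList("auth", "auth-int", "auth-conf").contains(v.trim()))
                throw new IllegalArgumentException("unsupported QOP: " + v);
        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, qop);
        return props;
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> props = saslProps(System.getProperty(QOP_PROPERTY, "auth-int"));
        // One handler serves both sides; user name and password are constructed sample values.
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("demo");
                else if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword("constructed-secret".toCharArray());
                else if (cb instanceof RealmCallback)
                    ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                } else throw new UnsupportedCallbackException(cb);
            }
        };
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "localhost", props, cbh);
        SaslClient client = Sasl.createSaslClient(
                new String[] {"DIGEST-MD5"}, null, "zookeeper", "localhost", props, cbh);
        byte[] token = server.evaluateResponse(new byte[0]);  // server's initial challenge
        while (!client.isComplete()) {
            token = client.evaluateChallenge(token);
            if (!server.isComplete()) token = server.evaluateResponse(token);
        }
        String negotiated = (String) client.getNegotiatedProperty(Sasl.QOP);
        System.out.println("negotiated QOP: " + negotiated);
        if (!"auth".equals(negotiated)) {  // a security layer exists only above plain "auth"
            byte[] msg = "ping".getBytes("UTF-8");
            byte[] wrapped = client.wrap(msg, 0, msg.length);
            byte[] plain = server.unwrap(wrapped, 0, wrapped.length);
            System.out.println(wrapped.length + " wire bytes -> " + new String(plain, "UTF-8"));
        }
    }
}
```

Once anything above "auth" is negotiated, every message after the handshake has to pass through wrap and unwrap on both ends, which is the extra plumbing Ivan's question about wrapping all comms refers to.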
